SonarLint for Eclipse 7.3 released - Sync SonarQube issues for the relevant branch

Hello Eclipse users,

SonarLint already has the ability to synchronize issue suppressions, i.e. issues resolved as “Won’t Fix” or “False Positive” in SonarQube (you can learn more about SonarQube issues here). This way, you can focus only on relevant issues in your IDE. Last year we also added the ability for SonarLint to fetch and display in your IDE complex injection vulnerabilities detected by SonarQube during your project analysis.

As you know, SonarQube (Developer Edition and above) supports branch analysis, and you can for example resolve an issue as “Won’t Fix” on a specific project branch. The caveat is that SonarLint, until today, wasn’t aware of the project branch you are actually working on, so it was only able to sync issues from your project main branch in SonarQube.

Over the last couple months, our team has been working to introduce branch awareness in SonarLint and today we have released it for Eclipse (in addition to VSCode, which was released in January). This means SonarLint is now able to adapt the issue synchronization to the Git branch you’re actually working with; and you’ve nothing to configure on your side, except making sure that your local project is bound to a SonarQube project.

On the limitations side, please be aware that, although SonarQube also supports Pull Request analysis, SonarLint is currently only syncing with a configured branch, and not with pull requests (we may introduce support for sync with pull request analysis later).

This release also brings plenty of new functionality and improvements, here are a couple of highlights:

  • In addition to the XXE (XML External Entity) vulnerability, which is already supported, the Java analyzer now detects additional kinds of insecure XML processing.
  • We improved the performance of Python analysis by using serialized Typeshed symbols.

Here are the release notes if you’d like to learn more.

Enjoy SonarLint in Eclipse!


How exactly does SonarLint know what server-side branch the current workspace project corresponds to? Or is the new feature only available with a specific SonarQube server version / commercial version?

We are using 8.9 LTS on the server side (Community Edition with Community Branch Plugin) and the project is an SVN branch with Gradle. The new SonarLint plugin does not look any different from the previous version when it comes to binding, so I am wondering whether it’s actually doing any branch-specific binding at all.

Hi @CrushaKRool, the branch analysis feature is only available if you use commercial editions of SonarQube (starting from Developer Edition) - I edited the above to make it clear. Moreover, it is only available if you use Git.
